Check Point R81 for Scalable Platforms
Solution

Table of Contents:

  • What's New
  • Downloads
  • Known Limitations
  • Documentation
  • Revision History

Security at Hyperscale
On demand expansion available for Security Gateways of all sizes

Operational Supremacy
Introduces new and simple ways to architect and manage cyber security

Cloud-Level Resiliency
Delivering the highest standard of resiliency with Telco-Grade Technology

What's New

Welcome to Check Point’s Cyber Security Platform. R81 is the industry’s most advanced Threat Prevention and security management software that delivers uncompromising simplicity and consolidation across the enterprise. Whether you are deploying the latest technologies and security to protect the organization or expertly crafting security policies, R81's new features include Infinity Threat Prevention, the industry’s first autonomous Threat Prevention system, which provides fast, self-driven policy creation and one-click security profiles that keep policies always up to date. Policies are installed in seconds, upgrades require only one click, and gateways can be simultaneously upgraded in minutes. R81 further features secure connectivity for encrypted traffic utilizing the latest standards, including TLS 1.3 and HTTP/2. In addition, the Scalable Platform software is now aligned with the R81 Cyber Security Platform, bringing feature parity to Check Point Maestro.


Infinity Threat Prevention

Infinity Threat Prevention is an innovative management model that:
  • Provides zero-maintenance protection from zero-day threats, and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.
  • Empowers administrators with out-of-the-box policy profiles based on business and IT security needs.
  • Streamlines the configuration and deployment of policy profiles across gateways.
  • Provides simple and powerful customization to best serve your organization’s needs.

Threat Prevention

  • Manage your custom intelligence feeds through SmartConsole. Add, delete or modify IoC feeds fetched by the Security Gateways, and import files in CSV or STIX 1.x format.
  • FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation. 
  • Improved use of IoCs for indicators based on source IPv4 and IPv6 addresses.
Note - Administrators can still perform granular manual changes to override Check Point’s recommended policies and profiles.

Threat Extraction

Automatic Engine Updates – Like the automatic updates to the Threat Emulation engines, you can now receive Threat Extraction updates automatically on your gateways. There is no need to update to a hotfix or a major version. Security improvements, new features and more do not require intervention.

Anti-Virus and SandBlast Threat Emulation

Enhanced Support for Archive Files – includes significant improvements in handling archive files:
  • Support for password protection for all supported file types, including .7z and .rar. For more details, please refer to sk112821.
  • An improved mechanism to “guess” passwords automatically when opening password-protected archives for emulation.
  • Added support for password-protected archives when the password includes Unicode characters.
  • Stability improvements.
Faster delivery of an emulation verdict for documents with embedded files.

Enhanced Support for Password-Protected Documents:
  • Admins can now configure a default action for password-protected documents. If such a file is emulated, the file is allowed or blocked by default. To configure a default action, follow the instructions in sk132492.
New File Types and Protocols:
  • Attachments from Nested MSG Files - Threat Emulation now supports emulation for files attached to MSG files that are themselves attached to other MSG files.
  • Support for new Archive Formats - WIM, CHM, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, MBR, MSI, NSIS, NTFS, QCOW2, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, LZH, ARJ, CPIO, AR.
  • SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection.
  • SMBv3 Multi-Channel Connections – Multi-channel file transfer is on by default on all Windows operating systems. The Check Point Gateway is now the only one in the market that inspects large file transfers through SMBv3 (3.0, 3.0.2, 3.1.1) over multi-channel connections.
Enhanced Logging for Emulated Archive Files:
  • The archive file log includes the names of all the files inside.
  • A new log is generated for every file extracted from the archive, with its emulation results. This log contains the name of the archive file, so logs correlate easily between the archive file and the files it contains.
Importing SHA-256 IOCs - Anti-Virus now supports SHA-256 hashes as Indicators of Compromise (IOCs). Administrators can import SHA-256 IOCs manually or connect the gateway to a live feed of SHA-256 IOCs. For more information, refer to sk132193.

Replacing the Threat Emulation API Certificate – Administrators can now upload their own certificate to use for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.

Email Security:
  • Enhanced Support for POP3 and IMAP protocols - Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over the POP3 protocol and improve inspection of e-mail over the IMAP protocol.
  • Enhanced Protection against BaseStriker - MTA Gateways now protect against malicious emails with URLs that use the BaseStriker technique.
  • Bounce Messages Behavior Change - Modifies the configuration of the MTA so that it tries to send bounce messages only once whether it reaches its destination or not.
  • Enhanced Threat Emulation inspection for files behind shortened links - The body of an email sometimes includes customized Bitly links that point to files. With this release, Threat Emulation scans the files behind these links to detect zero-day attacks. This capability requires Threat Emulation and Anti-Virus to be enabled, and MTA must be configured for the Security Gateway.
Other Enhancements:
  • Dynamic, Domain and Updatable Objects can be used in Threat Prevention and HTTPS Inspection Policies.
  • Domain objects enhancement - DNS passive learning. For more information, see sk161612.

Security Gateway and Gaia


HTTPS Inspection

  • HTTPS Inspection supports the FutureX Hardware Security Module (HSM) by storing outbound HTTPS Inspection cryptographic keys and certificates on the HSM server.
  • Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Implementation of TLS 1.3 for SSL inspection.
Note - TLS 1.3 is off by default and is only applicable when USFW is used.

Access Control

  • Support an unlimited number of languages in UserCheck objects. 

URL Filtering

  • Improved scalability and resilience.
  • Extended troubleshooting capabilities.

Application Control

  • Improved performance, diagnostics and monitoring tools.

Voice over IP (VoIP)

  • Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN

  • Machine Certificate Authentication - Use a machine certificate to distinguish between corporate and non-corporate assets, adding the ability to restrict access to corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
  • Significant performance improvements for Remote Access VPN clients in Visitor Mode.
  • Support for strongSwan IPsec clients on different Linux distributions.

Policy Installation

  • Concurrent Security Policy installation - One or more administrators can run multiple installation tasks of different policies on multiple gateways at the same time.

NAT Rule Base

  • Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects. 
  • A hit count for NAT rules.

Identity Awareness

  • Identity Awareness nested groups - Discovers all the groups a user belongs to from the branch specified in the LDAP account unit in one query.
  • Enhancements to Terminal Servers Agent for better scaling and compatibility.
  • Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy. Note: Security ID (SID) feature is off by default. Refer to R81 Identity Awareness Administration Guide for more information.

IPsec VPN

  • Ability to configure multiple ciphers for external Gateways in a single VPN community. Use granular encryption methods between two specific VPN peers.
  • Support for SHA-512 encryption method.

Mobile Access

  • A fresh and modern user interface with improved user experience:
    • Redesigned scan results.
    • Discontinued the SNX connection pop-up.
    • Greater accessibility for non-English speakers.
    • Launch all applications in separate tabs without losing the main page window.
    • One click sign-out.
    • Simplified customization to easily utilize brand identities.
    • Full support for mainstream browsers that run on all major platforms.
  • Clientless RDP and SSH access through Mobile Access Blade's browser portal using Apache's Guacamole™ software suite.
  • Support for custom AD attributes to allow mapping of end-users to their office desktops for personalized portal link display and Access Control.
  • SMB v2/3 mount support in Mobile Access blade.

Mobile Access Portal Agent

Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Acceleration

  • Enhanced Multi-Queue distribution of IPsec VPN traffic.

Advanced Routing

  • Enhancements for additional Dynamic Routing features:
    • OSPFv3 AH authentication for OSPFv3 protocol security.
    • IPv6 route aggregation - Reduces the number of prefixes advertised to neighbor routers to improve performance and scaling.
    • IPv4/IPv6 NAT-pool routes - Configure and redistribute NAT-pool routes to routing protocols.
    • Routing Information Protocol (RIP) route sync.
    • PIM restart capability.


Downloads

Important: For a list of all Maestro-supported appliances, refer to sk162373.  
Take | Appliances | Package | Comments

Security Appliances
R81 Take 396 | Refer to sk162373. | (ISO) | You must install R81 JHF Take 10 (or higher). Refer to sk170114.

Orchestrator
R80.20SP Take 295 (and above) | N / A | Refer to sk155832. | R80.20SP JHF Take 295 (and above).


Known Limitations

Refer to sk148074: Known Limitations for Scalable Platform and Maestro Appliances

Documentation

Datasheets
Maestro Hyperscale Orchestrator Datasheet
Port Mapping for Quantum Maestro Orchestrators
User Guides
Scalable Platforms R81 Release Notes
Quantum Maestro Orchestrator Quick Start Guide for MHO-140 and MHO-170
Quantum Maestro Getting Started Guide
Maestro R81 Administration Guide
Chassis Getting Started Guide
Chassis R81 Installation and Upgrade Guide
Chassis R81 Administration Guide
Scalable Platforms Gaia R81 Administration Guide
Scalable Platforms Performance Tuning R81 Administration Guide
Scalable Platforms Security Gateway R81 Administration Guide
R81 Scalable Platforms VSX Administration Guide
Related Solutions
sk170425 - Comparison between R81 and R81SP
sk170696 - How to upgrade a Maestro Security Group from the R80.20SP / R80.30SP versions to the R81 for Scalable Platforms version
sk148074 - Known Limitations for Scalable Platform and Maestro Appliances


Revision History


Date Description
10 April 2021 In the "Documentation" table added the "Datasheets" section
02 April 2021 In the "Downloads" table added software versions "R81" and "R80.20SP"
14 Dec 2020 First release of this document
